Thursday, 22 July 2010

Passwords, passwords, passwords.....

Inspired by the comment: "Why do I need a password when I'm the only one who uses the computer?"


I'm assuming if you are reading this then you have used one recently (hopefully!), but what's the point? Simply, passwords are the fortress protecting a wealth of YOUR data, your shopping list, your Amazon wishlist, your favourite sites, your Facebook information, all the information on your computer, even your credit card information.
Online retailers can implement the up-to-date security systems, the highest grade encryption, and an entire security team to protect the information on their servers (which includes your information), but what's the point if a bad guy can walk in the front door? A poor password is like building a wooden door complete with Yale lock onto the back of the Tower of London, all the protection can be bypassed.


So why do people choose short, dictionary based passwords? Simple, they are easier to remember. "password" is easier for a human to memorise than "&htR1!9I_1h", even though they are the same amount of characters. The problem is bad guys know this, and use it to their advantage.


So what can you do? Many people in the I.T. security field advocate "passphrases" (myself included!), that is using a phrase for the password. Thinking in the manner, you can create a long, strong passphrase which is easy to remember. "I hate dirty nappies" is exponentially stronger than "password", this can be proven on http://www.hammerofgod.com/passwordcheck.aspx. This website calculates how long it would take to crack (guess) a particular password. Using a computer which is capable of guessing a password 1 billion times a second, "password" would be cracked in 129 seconds, whilst "I hate dirty nappies" would take 52,530,122,724,423,900,000,000 years. That's a long time. Have a play with the site, but please do not use your real passwords, as the site says, there's no reason to risk it.
Another option is a password manager. These are pieces of software which securely store all your passwords on your computer. You set a master password in the program which will allow you access to all your other passwords. The better password managers can create complex passwords for you and auto fill them into websites, meaning you never have to remember them! But please use a passphrase as the master password for the software, you wouldn't want to undo all the good work would you?


In my line of work, we see weak passwords everywhere, and you don't need to be some super mystical ninja hacker to start guessing passwords. You can have a strong password and it be easy to remember, so start changing your passwords now.


Any questions are, as always, more than welcome.